Encrypted Federal Radios Can Be as Revealing as Police Scanners

By Aliya Sternstein

April 22, 2013

Federal radios with encryption can be nearly as insecure as the Boston Police scanners that allowed the public to tune in to the hunt for a suspected bomber, research shows. The Homeland Security Department and other agencies are buying more mobile devices that use P25, a set of wireless voice communications protocols that supports encryption. But it works only if they turn it on.

"We've collected several years' worth of unintentionally clear federal radio traffic. Only one agency has crypto working reliably," University of Pennsylvania computer science professor Matt Blaze tweeted on Saturday, while commenting on the inadvertent transparency of the police chase. "The one fed [law enforcement] agency whose radio traffic is almost never in the clear is the Postal [Inspection Service]. Don't mess with them," he said.

Many Internet users on Friday were glued to various live streams of police transmissions broadcasting the pursuit of Boston Marathon bombing suspect Dzhokhar Tsarnaev. Had he also been listening to the chatter, Tsarnaev possibly could have escaped. It is unclear what security configurations authorities in Boston were using. But even federal P25 communications have gaping holes, Blaze discovered during a two-year experiment.

A significant portion of the traffic "is sent in the clear, despite the users' apparent belief that it is encrypted. We captured an average of 20 to 30 minutes per day per city of highly sensitive 'unintended' clear text," he wrote on his blog in 2011. "The clear text included all manner of highly sensitive operational details, such as identifying features of undercover operatives and informants, identities and locations of surveillance targets, plans and locations for forthcoming takedowns, and details of executive protection operations."

The 2011 findings were based on leakage from P25 systems in several metropolitan areas using frequencies assigned to federal officials. "We collected data specifically on systems carrying a high volume of sensitive traffic from trained and motivated users: the encrypted tactical two-way radio networks used by federal agencies conducting criminal and national security investigations," Blaze wrote.

He said one problem is that the technology does not clearly notify users whether the encryption feature is on or off, "and radios set to clear mode will happily interoperate with radios set to encrypted mode."

Blaze does not blame the security weaknesses on user error. "The problem of unintended sensitive clear text rests squarely with the radios, not their users, and it is important to fix the problem rather than blame the victim," he wrote. Blaze added he is working with federal personnel to change the default features on handsets so encryption status is more visible.
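The failure mode described above, as an added example that is not code from the article or from Blaze's research: a monitor that flags clear-mode voice units arriving on talkgroups an agency intends to run encrypted, and that spots talkgroups where a clear-mode radio is interoperating with encrypted peers, the status a handset should surface to its user. The frame model and the capture are constructed; the ALGID assignments follow the P25 (TIA-102) convention.

```python
from collections import defaultdict
from dataclasses import dataclass

# P25 (TIA-102) algorithm IDs carried in the encryption sync word:
# 0x80 is unencrypted; 0x81 (DES-OFB) and 0x84 (AES-256) are encrypted.
ALGID_CLEAR = 0x80
LDU_SECONDS = 0.180            # one logical data unit carries 180 ms of voice

@dataclass(frozen=True)
class VoiceUnit:
    """One decoded logical data unit, reduced to the fields we need."""
    t: float           # capture time in seconds
    talkgroup: int
    unit_id: int       # transmitting radio
    algid: int

def unintended_clear(units, encrypted_talkgroups):
    """Units sent in the clear on a talkgroup meant to run encrypted.
    A stock radio accepts these silently; a handset should flag them."""
    return [u for u in units
            if u.talkgroup in encrypted_talkgroups and u.algid == ALGID_CLEAR]

def mixed_mode_talkgroups(units):
    """Talkgroups carrying both clear and encrypted traffic: the symptom of
    one radio left in clear mode interoperating with encrypted peers."""
    seen = defaultdict(set)
    for u in units:
        seen[u.talkgroup].add(u.algid)
    return sorted(tg for tg, algs in seen.items()
                  if ALGID_CLEAR in algs and len(algs) > 1)

def clear_seconds_per_unit(units, encrypted_talkgroups):
    """Seconds of unintended clear audio per transmitting radio, the
    per-handset view of the minutes-per-day figure Blaze reported."""
    totals = defaultdict(float)
    for u in unintended_clear(units, encrypted_talkgroups):
        totals[u.unit_id] += LDU_SECONDS
    return dict(totals)

# Constructed capture: talkgroup 101 is a tactical group meant to be AES-256,
# but radio 7 transmits in the clear; talkgroup 202 is clear by design.
CAPTURE = [
    VoiceUnit(0.00, 101, 3, 0x84), VoiceUnit(0.18, 101, 3, 0x84),
    VoiceUnit(1.00, 101, 7, 0x80), VoiceUnit(1.18, 101, 7, 0x80),
    VoiceUnit(1.36, 101, 7, 0x80), VoiceUnit(2.00, 101, 5, 0x84),
    VoiceUnit(3.00, 202, 9, 0x80),
]
ENCRYPTED_TALKGROUPS = {101}
```

Running the checks against `CAPTURE` reports talkgroup 101 as mixed-mode and attributes about half a second of unintended clear audio to radio 7, while the clear dispatch traffic on 202 is left alone.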

The endeavor, as of Monday, had tightened controls "only to a very limited extent," he told Nextgov in an email. "The fundamental problems are still there."